devstack/inc/rootwrap
Davanum Srinivas 8afbaa1c80 Support for running Nova with oslo.rootwrap daemon
Nova is being enhanced to use rootwrap as a daemon. For this effort,
we need an additional entry for nova-rootwrap-daemon in the
sudoers.d/ directory.

Needed by:
I57dc2efa39b86fa1fa20730ad70d056e87617c96

Change-Id: I80c7b9dd8e9e0f940aa4e54a95b241dfc40d3574
2015-05-15 04:26:04 +00:00

88 lines
3.0 KiB
Bash

#!/bin/bash
#
# **inc/rootwrap** - Rootwrap functions
#
# Handle rootwrap's foibles
# Uses: ``STACK_USER``
# Defines: ``SUDO_SECURE_PATH_FILE``
# Save trace setting
INC_ROOT_TRACE=$(set +o | grep xtrace)
set +o xtrace
# Accumulate all additions to sudo's ``secure_path`` in one file read last
# so they all work in a venv configuration
SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path}
# Add a directory to the common sudo ``secure_path``
# add_sudo_secure_path dir
function add_sudo_secure_path {
local dir=$1
local line
# This is pretty simplistic for now - assume only the first line is used
if [[ -r SUDO_SECURE_PATH_FILE ]]; then
line=$(head -1 $SUDO_SECURE_PATH_FILE)
else
line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin"
fi
# Only add ``dir`` if it is not already present
if [[ $line =~ $dir ]]; then
echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE
sudo chmod 400 $SUDO_SECURE_PATH_FILE
sudo chown root:root $SUDO_SECURE_PATH_FILE
fi
}
# Configure rootwrap
# Make a load of assumptions otherwise we'll have 6 arguments
# configure_rootwrap project
function configure_rootwrap {
local project=$1
local project_uc=$(echo $1|tr a-z A-Z)
local bin_dir="${project_uc}_BIN_DIR"
bin_dir="${!bin_dir}"
local project_dir="${project_uc}_DIR"
project_dir="${!project_dir}"
local rootwrap_conf_src_dir="${project_dir}/etc/${project}"
local rootwrap_bin="${bin_dir}/${project}-rootwrap"
# Start fresh with rootwrap filters
sudo rm -rf /etc/${project}/rootwrap.d
sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d
# Set up rootwrap.conf, pointing to /etc/*/rootwrap.d
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf
sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf
# Set up the rootwrap sudoers
local tempfile=$(mktemp)
# Specify rootwrap.conf as first parameter to rootwrap
rootwrap_sudo_cmd="${rootwrap_bin} /etc/${project}/rootwrap.conf *"
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile
if [ -f ${bin_dir}/${project}-rootwrap-daemon ]; then
# rootwrap daemon does not need any parameters
rootwrap_sudo_cmd="${rootwrap_bin}-daemon /etc/${project}/rootwrap.conf"
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >>$tempfile
fi
chmod 0440 $tempfile
sudo chown root:root $tempfile
sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap
# Add bin dir to sudo's secure_path because rootwrap is being called
# without a path because BROKEN.
add_sudo_secure_path $(dirname $rootwrap_bin)
}
# Restore xtrace
$INC_ROOT_TRACE
# Local variables:
# mode: shell-script
# End: